AD: What is the difference between local, global and universal groups?

The difference is which groups/users you can include in the different groups, which permissions can be assigned to that group, and if the group can be converted.

If you only have one domain and one tree, and you know it will stay that way forever, you really don't need to know a lot about this. But, I strongly encourage you to read this: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx

You will hate the person who set up groups in the first place if you ever have to fix their mistake. I've had to, and it is no fun.


The difference boils down to the scope of where the permissions are being assigned and whether members of different domains can be added as members of the group.

  • Domain Local

    • Permissions can be assigned only in the local domain.
    • Members can be from any domain in the forest.
    • Intended for use on objects not directly in AD such as file shares, printer queues, etc.
    • Should not be used to assign permissions on AD objects (e.g. OUs, user accounts, etc.) because they cannot be evaluated in other domains.
  • Global

    • Permissions can be assigned in any domain.
    • Members must be in the same domain as the group.
  • Universal

    • Permissions can be assigned anywhere in the forest.
    • Members can be from any domain in the forest.

Sources:

  • Group Type and Scope Usage in Windows (Microsoft KB231273)
  • Active Directory Security Groups
  • In Active Directory, what are the differences between universal, global, and domain local groups?
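The following PowerShell audit script is an added example, not part of the answer above or of any Microsoft documentation. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read group objects and OU security descriptors. It inventories groups by scope, lists which domains the members of each domain-local and universal group come from, and flags the case the answer warns against: a domain-local group granted rights directly on an AD object (an OU here), where the ACE is only evaluated inside that one domain.

```powershell
# Added audit example (hypothetical helper script, not from the original answer).
# Assumes the ActiveDirectory module and read access to groups and OU ACLs.
Import-Module ActiveDirectory

# 1. Inventory groups by scope. GroupScope is DomainLocal, Global or Universal.
$groups = Get-ADGroup -Filter * -Properties GroupScope, Members
'--- Group count by scope ---'
$groups | Group-Object GroupScope | ForEach-Object {
    '{0,-12} {1,5} groups' -f $_.Name, $_.Count
}

# Helper: domain portion of a distinguished name ("DC=child,DC=example,DC=com").
function Get-DnDomain {
    param([string]$Dn)
    $parts = $Dn -split ',(?=DC=)', 2
    if ($parts.Count -eq 2) { return $parts[1] } else { return $Dn }
}

# 2. Which domains do members of DomainLocal and Universal groups come from?
#    Global groups are skipped: their members must be in the group's own domain.
#    Members from trusted external forests show up under the local
#    ForeignSecurityPrincipals container and therefore count as local here.
'--- Member domains of DomainLocal/Universal groups ---'
foreach ($g in $groups | Where-Object { $_.GroupScope -ne 'Global' -and $_.Members }) {
    $domains = $g.Members | ForEach-Object { Get-DnDomain $_ } | Sort-Object -Unique
    '{0,-12} {1,-40} {2}' -f $g.GroupScope, $g.Name, ($domains -join '; ')
}

# 3. Flag DomainLocal groups that hold explicit (non-inherited) rights on OUs.
#    Such ACEs cannot be evaluated in other domains of the forest.
$domainLocalBySid = @{}
foreach ($g in $groups | Where-Object GroupScope -eq 'DomainLocal') {
    $domainLocalBySid[$g.SID.Value] = $g.Name
}

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # report only where the ACE was set
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable or well-known identity; not a domain group
        }
        if ($domainLocalBySid.ContainsKey($sid)) {
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Group      = $domainLocalBySid[$sid]
                Rights     = $ace.ActiveDirectoryRights
                AccessType = $ace.AccessControlType
            }
        }
    }
}

'--- DomainLocal groups with explicit rights on OUs ---'
if ($findings) { $findings | Format-Table -AutoSize } else { 'None found.' }
```

Run it from a domain-joined machine as an account that can read the directory; section 3 is the one worth scheduling, since each row is a permission that silently stops applying the moment the object or the principal is evaluated from another domain in the forest.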